This might have slipped under the radar these past few days, but a 9.8 RCE in Exim (on many, many mail servers) that does not require authentication is bad bad bad.

https://www.zerodayinitiative.com/advisories/ZDI-23-1469/

More info, from https://seclists.org/oss-sec/2023/q3/254

Exim4 MTA CVEs assigned from ZDI
From: Heiko Schlittermann <hs () nodmarc schlittermann de>
Date: Fri, 29 Sep 2023 18:06:11 +0200
Hello Exim users,

the ZDI assigned multiple CVEs to the Exim-MTA and published them recently:

CVE             Link                                                        Exim-Bug
--------------+-----------------------------------------------------------+-----------
CVE-2023-42114  https://www.zerodayinitiative.com/advisories/ZDI-23-1468/  3001 fixed
CVE-2023-42115  https://www.zerodayinitiative.com/advisories/ZDI-23-1469/  2999 fixed
CVE-2023-42116  https://www.zerodayinitiative.com/advisories/ZDI-23-1470/  3000 fixed
CVE-2023-42117  https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
CVE-2023-42118  https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
CVE-2023-42119  https://www.zerodayinitiative.com/advisories/ZDI-23-1473/

The ZDI contacted us in June 2022. We asked about details but didn't get answers we were able to work with.

Next contact with ZDI was in May 2023. Right after this contact we created project bug tracker entries for 3 of the 6 issues. 2 of the high-scored ones are fixed (OOB access). A minor-scored one (info leak) is fixed too.

Fixes are available in a protected repository and are ready to be
applied by the distribution maintainers.

The remaining issues are debatable or miss information we need to fix them.

We're more than happy to provide fixes for all issues as soon as we receive detailed information.

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}:


@briankrebs Are you interested in a story? I really have information as a source that I would like to share with some investigative journalists about mass fraud and negligent homicide with American health insurance carriers as an insider

@briankrebs thanks for the follow up. A bit scary in the sausage software factory as outlined in the links.

I blindly did an update on all my servers and was a bit surprised that I didn't see any exim patches and now I know why. Then again I don't run inbound email on any servers as life is too short to run your own email server in this spam world.

@briankrebs For an authenticator plugin that is not built/installed on 99% of those many, many servers.
@QuatermassTools @briankrebs Where did you find the detail that it's for the auth plugin?
@QuatermassTools @briankrebs I can't find details on this one at any of my usual sites. Do you have any other references?
@QuatermassTools @briankrebs Where do you have that information from? I couldn't find any details.

@briankrebs

That timeline... 🙈

06/14/22 – ZDI reported the vulnerability to the vendor.
*silence*
04/25/23 – The vendor asked us to re-send the reports.
*silence*
09/25/23 – ZDI asked for an update and informed the vendor that we intend to publish the case as a zero-day advisory on 09/27/23.

@briankrebs Some more (or any) details would really be great. Is this a vulnerability in a particular auth mechanism? I have a hard time believing there would be something affecting all of them, but we have been shellshocked before...
@briankrebs Just for completeness, this doesn't seem bad enough for 9.8 if the information in https://www.openwall.com/lists/oss-security/2023/10/01/4 is correct and you're not using NTLM auth nor libspf2.

@briankrebs Hmm all of those unpatched cPanel hosts, eh? Sigh.
@briankrebs
Whelp time to go check to make sure all the mail exchangers are patched...

@briankrebs
> Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.

Ouch!

@briankrebs @mutax it is especially bad since a lot of Debian systems defaulted to exim, and the people running them are probably unaware that it's installed. It should only be listening to localhost, but still.
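A triage script for the two questions this thread keeps circling back to: does the Exim build on a host even include the `spa` authenticator (Exim's implementation of Microsoft's SPA, i.e. NTLM) or SPF/libspf2 support, and is port 25 reachable from anything other than loopback. This is an added example, not code from any post above and not part of the Exim project. It parses the output of `exim -bV` (the "Support for:" / "Experimental:" and "Authenticators:" lines) and of `ss -lnt`; the two samples embedded in the script are constructed stand-ins so that it runs offline, and the version, build date and socket lines in them are made up for the example.

```shell
#!/bin/sh
# Added triage example (not from the thread): check whether a given Exim build
# and host expose the attack surface discussed above.
#
# On a real mail host you would feed the script the live output of:
#   exim -bV      -> build information, including "Authenticators:"
#   ss -lnt       -> listening TCP sockets
# The two samples below are CONSTRUCTED stand-ins so this runs offline.

# Constructed stand-in for `exim -bV`: the line labels are real Exim ones,
# the version/build values and the exact feature list are invented.
EXIM_BV='Exim version 4.96 #2 built 01-Jan-2023 00:00:00
Support for: crypteq iconv() IPv6 PAM GnuTLS DANE DKIM DNSSEC Event OCSP PROXY SOCKS SPF TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dnsdb dsearch passwd
Authenticators: cram_md5 cyrus_sasl dovecot external gsasl plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Configuration file is /etc/exim4/exim4.conf'

# Constructed stand-in for `ss -lnt` on a host that only binds loopback.
SS_LNT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       20      127.0.0.1:25         0.0.0.0:*
LISTEN  0       20      [::1]:25             [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*'

# has_feature TEXT LINE_PREFIX TOKEN
# Succeeds if TOKEN appears as a whole word on the line that starts with LINE_PREFIX.
has_feature() {
    printf '%s\n' "$1" | awk -v pfx="$2" -v tok="$3" '
        index($0, pfx) == 1 {
            for (i = 1; i <= NF; i++) if ($i == tok) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Is the spa (NTLM) authenticator compiled into this build?
exim_has_ntlm_auth() { has_feature "$1" "Authenticators:" "spa"; }

# Is SPF (libspf2) support compiled in?  Older builds list it under
# "Experimental:" rather than "Support for:", so both lines are checked.
exim_has_spf() {
    has_feature "$1" "Support for:" "SPF" || has_feature "$1" "Experimental:" "SPF"
}

# Does any LISTEN socket on port 25 bind something other than loopback?
# Prints the offending local addresses; succeeds only if there are none.
smtp_listens_beyond_loopback() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "25" && host != "127.0.0.1" && host != "[::1]") {
                print host; bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Human-readable report for the embedded samples.
if exim_has_ntlm_auth "$EXIM_BV"; then
    echo "spa/NTLM authenticator: built in"
else
    echo "spa/NTLM authenticator: absent"
fi
if exim_has_spf "$EXIM_BV"; then
    echo "SPF (libspf2) support: built in"
else
    echo "SPF (libspf2) support: absent"
fi
if exposed=$(smtp_listens_beyond_loopback "$SS_LNT"); then
    echo "port 25: loopback only"
else
    echo "port 25: reachable beyond loopback on: $exposed"
fi
```

"Built in" is not the same as "enabled": an authenticator that is compiled in is only reachable over SMTP if the running configuration defines an instance of it, so follow up with `exim -bP authenticator_list` on the host, and treat a port-25 listener on a non-loopback address as the condition under which the ZDI "restrict interaction with the application" mitigation actually applies.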

@briankrebs @mmu_man

Clearly retrocomputing is getting out of hand; now we're bringing back classic CVEs from the 90s? smh 😆

@briankrebs no advisory or updates from Debian yet, concerning